AWS Security ChangesHomeSearch

AWS cli medium security documentation change

Service: cli · 2025-08-10 · Security-related medium

File: cli/latest/reference/codebuild/create-webhook.md

Summary

Added pull-request-build-policy parameter with comment approval requirements

Security assessment

Introduces security controls for pull request builds by requiring comment approvals and defining approver roles. This addresses potential unauthorized code execution risks from untrusted contributors, particularly in fork scenarios. The explicit security controls around approval workflows constitute a security-related update.

Diff

diff --git a/cli/latest/reference/codebuild/create-webhook.md b/cli/latest/reference/codebuild/create-webhook.md
index 3fa30b272..366ea9910 100644
--- a//cli/latest/reference/codebuild/create-webhook.md
+++ b//cli/latest/reference/codebuild/create-webhook.md
@@ -15 +15 @@
-  * [AWS CLI 2.28.4 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.6 Command Reference](../../index.html) »
@@ -77,0 +78 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/codebu
+    [--pull-request-build-policy <value>]
@@ -311,0 +313,35 @@ JSON Syntax:
+`--pull-request-build-policy` (structure)
+
+> A PullRequestBuildPolicy object that defines comment-based approval requirements for triggering builds on pull requests. This policy helps control when automated builds are executed based on contributor permissions and approval workflows.
+> 
+> requiresCommentApproval -> (string)
+>
+>> Specifies when comment-based approval is required before triggering a build on pull requests. This setting determines whether builds run automatically or require explicit approval through comments.
+>> 
+>>   * _DISABLED_ : Builds trigger automatically without requiring comment approval
+>>   * _ALL_PULL_REQUESTS_ : All pull requests require comment approval before builds execute (unless contributor is one of the approver roles)
+>>   * _FORK_PULL_REQUESTS_ : Only pull requests from forked repositories require comment approval (unless contributor is one of the approver roles)
+>> 
+
+> 
+> approverRoles -> (list)
+>
+>> List of repository roles that have approval privileges for pull request builds when comment approval is required. Only users with these roles can provide valid comment approvals. If a pull request contributor is one of these roles, their pull request builds will trigger automatically. This field is only applicable when `requiresCommentApproval` is not _DISABLED_ .
+>> 
+>> (string)
+
+Shorthand Syntax:
+    
+    
+    requiresCommentApproval=string,approverRoles=string,string
+    
+
+JSON Syntax:
+    
+    
+    {
+      "requiresCommentApproval": "DISABLED"|"ALL_PULL_REQUESTS"|"FORK_PULL_REQUESTS",
+      "approverRoles": ["GITHUB_READ"|"GITHUB_TRIAGE"|"GITHUB_WRITE"|"GITHUB_MAINTAIN"|"GITHUB_ADMIN"|"GITLAB_GUEST"|"GITLAB_PLANNER"|"GITLAB_REPORTER"|"GITLAB_DEVELOPER"|"GITLAB_MAINTAINER"|"GITLAB_OWNER"|"BITBUCKET_READ"|"BITBUCKET_WRITE"|"BITBUCKET_ADMIN", ...]
+    }
+    
+
@@ -683 +719 @@ webhook -> (structure)
-  * [AWS CLI 2.28.4 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.6 Command Reference](../../index.html) »